Friday, June 30, 2017

This post is part of a series about the worlds of Java and SSL. I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

Creating a CSR from Java:

    import java.security.Signature;
    import sun.security.pkcs10.PKCS10;   // JDK-internal class, not a supported API; on JDK 9+ it needs
    import sun.security.x509.X500Name;   // --add-exports java.base/sun.security.pkcs10=ALL-UNNAMED (and the same for sun.security.x509)

    PKCS10 createCsr(String distinguishedName) throws Exception {
        X500Name x500Name = new X500Name(distinguishedName);      // the subject of the request, e.g. "CN=localhost, O=Example"
        String signatureAlgorithmName = "SHA1WithRSA";            // as in the original; SHA-1 is deprecated, "SHA256withRSA" is what CAs accept today
        Signature signature = Signature.getInstance(signatureAlgorithmName);
        signature.initSign(getPrivateKey());                      // the requester's private key: signing the CSR proves possession of it
        PKCS10 pkcs10 = new PKCS10(getPublicKey());               // the public key to be certified
        pkcs10.encodeAndSign(x500Name, signature);                // DER-encode the request and sign it
        return pkcs10;
    }

This was relatively easy to find out how to do. The one snag I hit was around the "encodeAndSign" method, which at first I thought needed an instance of X500Signer. It seems that support was dropped for X500Signer as of JDK 1.7. It turned out that X500Signer is not needed, and that it just needs an instance of X500Name.

Wednesday, June 28, 2017

Tuesday, June 27, 2017

How to Create a Certificate in Java

A brief digression: what is a certificate?

How to create a certificate signing request

How to sign a CSR

How to import the certificate to a keystore

As the bullet points indicate, there are 3 steps to creating a certificate: creating the certificate signing request (CSR), signing the CSR, and importing the resulting certificate to the keystore.

A certificate is a public key that has been "signed" by another party, the issuer, together with the identity that key belongs to (the subject), the issuer's name, a validity period and any extensions. The signature covers that whole signed portion (the TBSCertificate), not the public key alone: the issuer hashes it with a one-way hash function and signs the hash with its private key. The issuer signs the subject's public key to vouch that it is genuine, that is, that it really belongs to the named subject.

Others verify the certificate by recomputing the hash over the signed portion and checking it against the signature using the issuer's public key (for RSA this amounts to "decrypting" the signature and comparing; for DSA or ECDSA it is a dedicated verification operation rather than a decryption). If the two agree, the signature is considered good. A full validation also checks the validity dates, that the issuer's own certificate is trusted, and that the certificate has not been revoked.

For this scheme to work, the issuer's public key must be widely available and trusted, and the hash and signature algorithms must be identified unambiguously inside the certificate, which is why the file formats (DER, PEM, PKCS#10 for requests, PKCS#12 for key stores) matter so much in SSL work.
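The three steps listed above and the verification just described, worked as one added example (editor-added code, not code from the original posts). It uses Bouncy Castle (bcprov and bcpkix on the classpath) instead of the JDK-internal sun.security classes, and the DNs, alias, serial numbers, validity periods and password are illustrative. It goes one step beyond the outline by first issuing a self-signed CA certificate through the same path, and by having the issuer check the CSR's own signature before signing it.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

// Added example: CSR -> signed certificate -> keystore, with Bouncy Castle (bcprov + bcpkix).
public class CsrSignImport {

    // Step 1: a PKCS#10 request carries the subject name and public key and is signed with the
    // matching private key, so the issuer can check that the requester actually holds it.
    static PKCS10CertificationRequest createCsr(X500Name subject, KeyPair subjectKeys) throws Exception {
        ContentSigner selfSigner = new JcaContentSignerBuilder("SHA256withRSA").build(subjectKeys.getPrivate());
        return new JcaPKCS10CertificationRequestBuilder(subject, subjectKeys.getPublic()).build(selfSigner);
    }

    // Step 2: the issuer verifies the CSR's own signature, then signs a certificate over the
    // whole to-be-signed structure (names, validity, key, extensions) with its private key.
    static X509Certificate signCsr(PKCS10CertificationRequest csr, X500Name issuerDn, PrivateKey issuerKey,
                                   long serial, int validDays, boolean isCa) throws Exception {
        PublicKey requestedKey = new JcaPKCS10CertificationRequest(csr).getPublicKey();
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(requestedKey))) {
            throw new SecurityException("CSR signature invalid: requester does not hold the private key");
        }
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(validDays));
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuerDn, BigInteger.valueOf(serial), notBefore, notAfter, csr.getSubject(), requestedKey);
        // Critical basicConstraints: only the CA may issue further certificates.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        ContentSigner issuerSigner = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(issuerSigner));
    }

    // Step 3: store the private key with its certificate chain (leaf first, then the CA).
    static KeyStore importToKeyStore(String alias, char[] password, PrivateKey key,
                                     X509Certificate leaf, X509Certificate ca) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);   // empty in-memory store; ks.store(out, password) would write it to disk
        ks.setKeyEntry(alias, key, password, new Certificate[] { leaf, ca });
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKeys = kpg.generateKeyPair();
        KeyPair serverKeys = kpg.generateKeyPair();

        // A self-signed CA: issuer equals subject and the signing key is the certificate's own key.
        X500Name caDn = new X500Name("CN=Example Test CA, O=Example");   // illustrative names throughout
        X509Certificate caCert = signCsr(createCsr(caDn, caKeys), caDn, caKeys.getPrivate(), 1, 3650, true);

        // The server certificate: its CSR is signed by the CA.
        PKCS10CertificationRequest csr = createCsr(new X500Name("CN=localhost, O=Example"), serverKeys);
        X509Certificate serverCert = signCsr(csr, caDn, caKeys.getPrivate(), 2, 365, false);
        KeyStore ks = importToKeyStore("server", "changeit".toCharArray(), serverKeys.getPrivate(), serverCert, caCert);

        // Verification as described above: recompute the hash over the signed portion and check it
        // against the signature with the issuer's public key. verify() throws on a mismatch.
        serverCert.verify(caKeys.getPublic());
        caCert.verify(caCert.getPublicKey());
        try {
            serverCert.verify(serverKeys.getPublic());   // wrong key: must be rejected
            throw new IllegalStateException("verification with the wrong key should have failed");
        } catch (SignatureException expected) {
            // the computed hash does not match what the signature yields under this key
        }
        System.out.println("issued " + serverCert.getSubjectX500Principal() + " by "
                + serverCert.getIssuerX500Principal() + "; keystore entries: " + ks.size());
    }
}
```

Compile and run with bcprov and bcpkix on the classpath. The verify() call with the wrong key throws SignatureException, which is the "hash does not match" case from the text; verify() checks only the signature, so a real validator (java.security.cert.CertPathValidator) is still needed for validity dates, name chaining, basicConstraints and revocation.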

Sunday, June 25, 2017

What is your first and last name?
  [Unknown]:  development.sun.com
What is the name of your organizational unit?
  [Unknown]:  Development
What is the name of your organization?
  [Unknown]:  Sun
What is the name of your City or Locality?
  [Unknown]:  Monrovia
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct?
  [no]:  yes
Enter key password for

Saturday, June 24, 2017

Friday, June 23, 2017

OpenSSL is a must-have for developers doing SSL work with Java. On Windows it ships with the Git for Windows command line (Git Bash); on OS X it comes with the operating system.

A certificate is a public key, packaged with the subject's identity, the issuer's name and a validity period, whose signed portion has been hashed with a cryptographically strong algorithm like SHA-256 and the hash signed with someone's private key. In the case of a "self-signed" certificate, that private key is the one associated with the certificate's own public key, so the certificate vouches only for itself and must be trusted explicitly.

An Example Error Message from Git

fatal: repository 'wrong' does not exist

While the problem is clear, the solution is still vague, but at least the error is understandable.

An Example Error Message from OpenSSL

16884:error:02001002:system library:fopen:No such file or directory:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/bio/bss_file.c:126:fopen('c:opensslbinopenssl.cnf','rb')

Read left to right, the fields are: the process id (16884), the OpenSSL error code (02001002), the library and C function that failed (system library, fopen), the reason (No such file or directory), the source file and line inside OpenSSL where the call was made (bss_file.c:126, under the build path of Apple's OpenSSL 0.9.8, which is not a directory on the user's machine), and finally the file it tried to open, 'c:opensslbinopenssl.cnf', the configuration file the command expected to load.

Thursday, June 22, 2017

If you have a Java and SSL expert...

SSL is difficult in Java NIO

Few tools are available

Even Stack Overflow was no help

All I can say about experts in the field of Java and SSL is that if you have one...KEEP THEM! I found the combination of Java (NIO) and SSL to be very difficult. And the Java world has had over 10 years (NIO was released in 2006) to fix this!

I found SSL to be ridiculously difficult in Java NIO. For something as ubiquitous as SSL I was hoping to find it easier going. Oh boy was I wrong.

I had to fight SSL every step of the way. If things became easy, I immediately became suspicious. If I tried to do something "simple" in SSL, all the examples that I found generated warnings when I tried to use them. When I found what I deemed a bug in one library, the person I worked with dismissed it as "not a bug," the list goes on and on.

I found very few libraries or frameworks for SSL. The only real alternative to the classes in the JDK is BouncyCastle, but I found BC to be very poorly documented (there is a one page "User Guide" that basically points you to some examples and the JavaDoc).

Two frameworks that implement SSL are Apache Mina and Netty. Interacting with Netty was where I had the "this is not a bug" experience. I am dreading the day that I have to work with the Mina folks.

Examples with SSL are few and far between. Many problems I just couldn't find an answer to. I even posted a problem on Stack Overflow, expecting a dozen messages with titles like "Try THIS, bonehead," but no one replied.

This is the first of a series of posts about the worlds of Java and SSL. I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

So what I've decided to do is to add an "optional" section on SSL with Java. I will use the five core topics (what is Miranda, why was it created, how it works, why it's reliable, and why it's secure) and then add on the "extra" topic. This should bring the talk up to 50 minutes, which should be acceptable.